
It's not easy. For one, we know from documents released by Edward
Snowden that the NSA can — not necessarily does, just can —
surveil massive amounts of electronic communication, storing what
it finds in an extensive database for later analysis.

However, there is a limit to what the NSA can do: if your
communications are encrypted with a strong enough password (at
least 20 random characters) and the NSA intercepts your message,
all they'll see is encoded gibberish.

So how do you encrypt your email? Turns out, it's not easy.
Lavabit, a free service that used to offer end-to-end encrypted
email, has shut down, and Silent Circle, which offers a suite of
encrypted communication apps,
recently closed down its secure email service.

That leaves you wading through the confusing, poorly documented
tangle of open-source programs and software projects.

Finding an up-to-date program that uses proven encryption
algorithms is the easiest part. Then you need to find something
that works with your computer setup — something compatible with
your operating system, desktop email clients and email service.

If you type all these criteria into Google — "Gmail Chrome
encryption," for example — you'll find several Chrome apps to
choose from. However, most encryption programs are still
difficult to use because their graphical user interfaces (GUIs)
are either roughshod or nonexistent. This means users have to
navigate many complicated menus or even use the command line to
type instructions.

It's hard to ask an average technology user to put in that kind
of effort.

"To the extent that [the security] space needs innovation, it is
not in the area of cryptography, but in the area of user
experience," said Moxie Marlinspike, a security and encryption
expert best known for co-founding Whisper Systems, a data
security company acquired by Twitter in 2011.

Earlier this summer, Google argued in court that its millions of
Gmail email users had no "objectively reasonable expectation of
confidentiality," and that the company had every right to examine
all correspondence that passed through its servers.

This may seem shocking, but Google is correct: Legally, it's no
surprise that Gmail communications aren't necessarily private.

In the past, people who wanted guaranteed email privacy could
turn to services such as Lavabit and Silent Circle. But after it
was revealed that former NSA contractor
Edward Snowden used Lavabit, possibly to avoid NSA detection
while collecting and leaking hundreds of confidential documents,
the service shut down, citing unspecified legal difficulties.

"Without congressional action or a strong judicial precedent, I
would strongly recommend against anyone trusting their private
data to a company with physical ties to the United States,"
Lavabit founder Ladar Levison posted on the now-inoperable
website.

A day after Lavabit shut down, Silent Circle shut down its own
encrypted email service, though its encrypted mobile apps such as
Silent Phone and Silent Text are still available. Silent Circle's
chief technology officer, Jon Callas, wrote that the company had
decided to end its email service because it could no longer
ensure its users' security.

The name PGP originally referred to open-source encryption
software developed in 1991. PGP was so influential that its
encryption method, called the "OpenPGP Standard," still forms the
basis of most encryption software, apps, plugins and other
services found today.

Security firm Symantec eventually bought the original software
named PGP, which is now incorporated into Symantec's paid
services. But when people say "PGP," they are usually referring
to any kind of software that follows the OpenPGP standard.

PGP-based encryption is still popular for a number of reasons.
For one, every OpenPGP user has two encryption "keys," or pieces
of information that make an encryption algorithm work, similar to
the way a key opens a lock.

One of these keys is public, and one is private. So if you want
people to be able to send you encrypted messages, you can give
them your "public key." Using this key, your correspondents can
encrypt their message so that only you, using your corresponding
"private key," can unlock and read the message.

The advantage of this system is that I don't have to worry about
my public key falling into the wrong hands. So long as my private
key is safe, I can publish my public key on a website, or email
it in an unencrypted email, which makes it easy to set up a
secure connection with other OpenPGP users.

This all sounds great in theory, but unless you want to spend
more than $100 for Symantec's PGP software, you're going to find
that setting up PGP encryption is easier said than done.

Security expert Robert David Graham of Errata Security called PGP
"more trouble than it's worth." However, he said, PGP is probably
the best place to start for someone new to encryption.

All of the OpenPGP authorities — insofar as authorities exist in
open-source software development — have websites that look
straight out of the 1990s.

The site you want is www.gnupg.org, which distributes free,
open-source software called GnuPG, or GPG for short, that's based
on the OpenPGP standard. GPG was written for users of the Linux
and GNU operating systems, but the website also contains links to
installation packages for Windows (gpg4Win) and Mac (GPGTools).

You're finally in the right place! Now all that's left is a solid
hour or two of setup as you make your way through the long but
thorough instruction manuals for gpg4Win or GPGTools. By the end
of it, you'll have PGP-based encryption functioning on Outlook
for Windows (if you used gpg4Win) or Apple's OS X Mail app (if
you used GPGTools).
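
Once GnuPG is installed, the public-key/private-key exchange described earlier looks like this at the command line. This is an added example, not part of the original article; it assumes GnuPG 2.1 or later on the PATH, and the address, message and throwaway keyrings are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway keyrings, constructed identity and message.
set -eu

RECIPIENT_HOME=$(mktemp -d)   # recipient's keyring: private + public key
SENDER_HOME=$(mktemp -d)      # sender's keyring: recipient's public key only
WORK=$(mktemp -d)
ADDR="alice@example.org"      # constructed identity

cleanup() {
    GNUPGHOME=$RECIPIENT_HOME gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME=$SENDER_HOME gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$RECIPIENT_HOME" "$SENDER_HOME" "$WORK"
}
trap cleanup EXIT

setup_keys() {
    # 1. Recipient generates a key pair (empty passphrase: demo only).
    gpg --homedir "$RECIPIENT_HOME" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key "Alice <$ADDR>" default default never
    # 2. Recipient exports the public half; this file is safe to publish.
    gpg --homedir "$RECIPIENT_HOME" --armor --export "$ADDR" > "$WORK/alice.pub.asc"
    # 3. Sender imports it. The private key never leaves the recipient.
    gpg --homedir "$SENDER_HOME" --batch --quiet --import "$WORK/alice.pub.asc"
}

encrypt_as_sender() {
    # --trust-model always skips key validation for this demo; in real use,
    # confirm the key's fingerprint with its owner before encrypting to it.
    printf '%s' "$1" | gpg --homedir "$SENDER_HOME" --batch --quiet --armor \
        --trust-model always --recipient "$ADDR" --encrypt > "$WORK/msg.asc"
}

decrypt_with() {
    # $1 = keyring to try; succeeds only if it holds the matching private key.
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --decrypt "$WORK/msg.asc" 2>/dev/null
}

setup_keys
encrypt_as_sender "meet at noon"      # constructed message
echo "recipient reads: $(decrypt_with "$RECIPIENT_HOME")"
if decrypt_with "$SENDER_HOME" >/dev/null; then
    echo "unexpected: sender's keyring decrypted the message"
else
    echo "sender's keyring cannot decrypt: it has no private key"
fi
```

A real key should be protected with a passphrase, and its fingerprint checked with the owner before anything is encrypted to it.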

But what if you don't use either of those clients, but instead
use a browser? If you want to send and receive encrypted email
via a browser-based email service, or webmail, you can install a
browser-specific plugin. That plugin will act as a bridge between
your browser and the PGP software already downloaded onto your
computer.

To find the appropriate plugin, check your browser's app store or
do a Google search for your browser's name plus "PGP plugin."

Why isn't there an easier way to go about setting up PGP?
Marlinspike says it's more than just a simple question of
developing better user interfaces.

"When it comes to secure email, it has long been time to throw
out the PGP model and start over," Marlinspike told us.
"Unfortunately, however, for the past 13 years, the development
of a usable secure email system has been blocked by one thing:
webmail."

People love the convenience of webmail, but it's just not as
secure as a desktop client, and therefore many cryptographers
simply don't bother writing browser plugins for email encryption.
"It is simply not possible to produce a secure email system that
works in the webmail context," Marlinspike told us. "So most
people who are interested in working on secure email haven't even
bothered, because it's a non-starter."

Marlinspike says there are no browser-based encryption services
that he could recommend "with a straight face."

In email, as with all online communications, privacy comes at the
expense of convenience. So it's up to users whether they want to
switch to desktop email, and thus increase their security, or
continue to use webmail.

"It's a matter of tradeoffs," said Graham. "How much time do you
want to spend learning this stuff, and how much do you fear the
NSA?"